
OlympicDestroyer malware sets a trap for the security community

Mar 13, 2018

Kaspersky Lab's Global Research and Analysis Team has published its findings on the OlympicDestroyer malware attacks, presenting technical evidence that the attackers planted a sophisticated false flag in the malware in order to mislead the threat intelligence community.

OlympicDestroyer made headlines during the Winter Olympics in Pyeongchang, where a cyberattack temporarily paralysed IT systems ahead of the official opening ceremony of the Games, which concluded in February: display screens went dark, the wireless network was disrupted and the official Olympic website went down, leaving visitors unable to print tickets for events.

Kaspersky Lab also found that a number of facilities at the ski resorts hosting the Games in South Korea were hit by the malware, with failures of ski gates and ski lifts among the reported disruptions. The malware's destructive capability was evident, although the actual impact of the attacks was limited.

What really interested the security community about this incident, however, was not the actual or potential damage but the origin of the malicious code. Perhaps no other sophisticated piece of malware has attracted so many competing attribution hypotheses: within days of its discovery, research teams around the world had linked OlympicDestroyer to threat actors in Russia, China and North Korea, based on a number of features previously attributed to espionage and sabotage groups allegedly operating from those countries or on behalf of their governments.

Kaspersky Lab's researchers also tried to identify the group behind the code, and at one point found what appeared to be compelling evidence linking the malware to the notorious Lazarus group, which is believed to be backed by the North Korean government.

This conclusion rested on a unique trace left by the attackers: a combination of characteristics of the code's development environment, recorded in the malware's files, can serve as a fingerprint that in some cases uniquely identifies the malware's developer, their projects and their aims.

In the sample analysed by Kaspersky Lab, this fingerprint was a 100 percent match with previously known Lazarus malware components and had no overlap with any other clean or malicious file known to Kaspersky Lab. Taken together with other similarities in tactics, techniques and procedures (TTPs), this led the researchers to a preliminary conclusion that OlympicDestroyer was another Lazarus operation.

However, the apparent motive did not fit, and other contradictions with Lazarus TTPs, uncovered during Kaspersky Lab's on-site investigation at a compromised facility in South Korea, led the researchers to reconsider this rare attribution.

After taking a closer look at the evidence and manually verifying each characteristic, the researchers found that the set of features did not match the rest of the code: it had been crafted to match the Lazarus fingerprint perfectly.
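The article does not name the artifact, but the fingerprint Kaspersky Lab described in this research is the Rich header, a block the Microsoft linker writes into the DOS stub of a PE file recording which compiler and linker builds produced the binary and how many objects each contributed, XOR-encoded with a key derived from the DOS stub and the entries themselves. The parser below is an added example, not Kaspersky Lab's code: it extracts that toolchain record, recomputes the key to check the block is internally consistent, and compares the fingerprints of two constructed files. The product IDs, build numbers and counts in the sample data are made up for the demonstration and are not values from any real sample, and the files it builds are minimal test data rather than complete PE images.

```python
import struct

DANS = 0x536E6144          # b"DanS" read as a little-endian DWORD
RICH_MARK = b"Rich"


def rol32(value, count):
    """Rotate a 32-bit value left by count bits (count taken mod 32)."""
    count %= 32
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_key(prefix, entries):
    """Recompute the XOR key the linker derives for the Rich header.

    prefix  : every file byte before the DanS marker (DOS header + stub)
    entries : plaintext (comp_id, count) pairs, comp_id = prodid << 16 | build
    The sum starts at the header offset, adds each prefix byte rotated by its
    position (e_lfanew at 0x3C..0x3F is skipped), then each comp_id rotated by
    its use count.
    """
    total = len(prefix)
    for i, b in enumerate(prefix):
        if 0x3C <= i < 0x40:
            continue
        total = (total + rol32(b, i)) & 0xFFFFFFFF
    for comp_id, count in entries:
        total = (total + rol32(comp_id, count)) & 0xFFFFFFFF
    return total


def parse_rich_header(data):
    """Return {"offset", "key", "entries", "checksum_ok"} or None if no header."""
    limit = len(data)
    if len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if 0 < e_lfanew <= len(data):
            limit = e_lfanew            # the block always precedes the PE header
    rich_off = data.find(RICH_MARK, 0, limit)
    if rich_off < 0 or rich_off + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    off = rich_off - 4                  # walk back, decrypting, until DanS appears
    while off >= 0 and struct.unpack_from("<I", data, off)[0] ^ key != DANS:
        off -= 4
    if off < 0:
        return None
    raw = []
    pos = off + 16                      # DanS plus three zero padding DWORDs
    while pos + 8 <= rich_off:
        comp_id, count = struct.unpack_from("<II", data, pos)
        raw.append((comp_id ^ key, count ^ key))
        pos += 8
    return {
        "offset": off,
        "key": key,
        "entries": [(c >> 16, c & 0xFFFF, n) for c, n in raw],
        "checksum_ok": rich_key(data[:off], raw) == key,
    }


def fingerprint(data):
    """The ordered toolchain record: the thing compared across samples."""
    parsed = parse_rich_header(data)
    return tuple(parsed["entries"]) if parsed else None


def build_sample(entries, stub_byte, key=None):
    """Constructed test data (not a real PE): a DOS header whose byte 2 is
    stub_byte, followed by a Rich header for entries. key=None means the
    genuine linker key; passing a key mimics a forger who does not recompute."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    dos[2] = stub_byte
    struct.pack_into("<I", dos, 0x3C, 0x100)   # e_lfanew, not part of the checksum
    plain = [((prodid << 16) | build, count) for prodid, build, count in entries]
    if key is None:
        key = rich_key(dos, plain)
    block = struct.pack("<IIII", DANS ^ key, key, key, key)
    for comp_id, count in plain:
        block += struct.pack("<II", comp_id ^ key, count ^ key)
    block += RICH_MARK + struct.pack("<I", key)
    return bytes(dos) + block


def transplant_rich(src, dst):
    """Crude forgery: paste src's Rich block over dst's, keeping dst's own stub."""
    s, d = parse_rich_header(src), parse_rich_header(dst)
    s_end = src.find(RICH_MARK, s["offset"]) + 8
    d_end = dst.find(RICH_MARK, d["offset"]) + 8
    return dst[:d["offset"]] + src[s["offset"]:s_end] + dst[d_end:]


# Constructed (prodid, build, count) triples; the numbers are made up and are
# not the real values from any Lazarus or OlympicDestroyer sample.
SAMPLE_A_ENTRIES = [(0x5D, 9782, 12), (0x5F, 9782, 3), (0x01, 0, 20), (0x52, 9782, 1)]
SAMPLE_B_ENTRIES = [(0x83, 23026, 7), (0x84, 23026, 1), (0x01, 0, 5), (0x91, 23026, 1)]

if __name__ == "__main__":
    a = build_sample(SAMPLE_A_ENTRIES, stub_byte=0x90)
    b = build_sample(SAMPLE_B_ENTRIES, stub_byte=0x50)
    print("A:", parse_rich_header(a))
    forged = transplant_rich(a, b)          # B's stub, A's toolchain record
    print("forged matches A:", fingerprint(forged) == fingerprint(a))     # True
    print("forged key valid:", parse_rich_header(forged)["checksum_ok"])  # False
    careful = build_sample(SAMPLE_A_ENTRIES, stub_byte=0x50)  # key recomputed
    print("careful forgery key valid:", parse_rich_header(careful)["checksum_ok"])  # True
```

The key check catches only the crudest forgery, a block pasted over a different DOS stub. A forger who copies the stub along with the block, or recomputes the key, leaves a header that is internally consistent, so a matching fingerprint and a valid key together still prove nothing about which toolchain actually built the code. That is why the article describes manual verification of each characteristic against the rest of the binary as the step that exposed the fake.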

As a result, the researchers concluded that the fingerprint was a highly sophisticated false flag, deliberately placed inside the malware to give threat hunters the impression that they had found hard evidence, and so steer them away from an accurate attribution.

"To our knowledge, the evidence that the research team was able to find has not been used for attribution in the past," said Vitali Kamluk, head of the Asia Pacific research team at Kaspersky Lab.

"The attackers relied on the fact that this forgery is difficult to prove. It is as though a criminal stole someone else's DNA and left it at the scene to mislead the investigators. But we discovered and proved that the DNA found at the crime scene had been put there deliberately, and this shows how far the attackers are prepared to go to remain anonymous for as long as possible. We have always said that attribution in cyberspace is very difficult, since a lot of things can be faked, and OlympicDestroyer is a precise illustration of this," he said.

"What happened here shows how important it is to take attribution seriously. Given the recent politicization of cyberspace, wrong attribution can have serious consequences, and actors may begin trying to manipulate the security community's opinion in order to influence political agendas in areas of tension," Kamluk said.

Separately, Kaspersky Lab researchers found that the attackers used the NordVPN privacy service and a hosting provider called MonoVM, both of which accept Bitcoin. These features, along with some of the other tactics, techniques and procedures discovered, have previously been seen in use by the Russian-speaking Sofacy group, which makes OlympicDestroyer a unique example of a highly sophisticated false flag.